Closed Bug 812746 Opened 13 years ago Closed 12 years ago

developer.mozilla.org attachments allow persistent xss and one xss in fields.

Categories

(developer.mozilla.org :: Security, defect, P2)

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: insecurity.ro, Unassigned)

References

Details

(Keywords: reporter-external, sec-high, wsec-xss, Whiteboard: [site:developer.mozilla.org][specification-like][type:bug])

Attachments

(1 file)

76.97 KB, image/jpeg
Attached image dev.jpg
User Agent: Opera/9.80 (Windows NT 6.1; U; MRA 8.0 (build 5861); en) Presto/2.10.289 Version/12.00

Steps to reproduce:

Hello, I found two problems on developer.mozilla.org

Actual results:

We can see that attachments are allowed and we can create a... what you want with HTML, maybe with XML. It's really dangerous, because this is a persistent place (good free trusted "hosting" to steal cookies or download a virus file or what you want with your HTML page).
https://developer.mozilla.org/files/4277/scriptlet.html

And... bonus... we have an XSS in fields: Title & Description:
http://i50.tinypic.com/1zftw81.jpg

I tested this in Opera Browser. Wait for video.
And I have one question, I don't understand... why we have noscript and we have XSS too?) http://i48.tinypic.com/opc4.jpg
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: sec-bounty?
Keywords: wsec-xss
Simon: Do you know why this was un-marked as a duplicate? Also, can you please copy me on bug 820218?
Status: NEW → UNCONFIRMED
Ever confirmed: false
Flags: needinfo?(sbennetts)
John: I marked bug 820218 as a duplicate of this one :) I've added you to that one.
Flags: needinfo?(sbennetts)
I will file a bug to move developer.m.o uploads off the main domain and look into the history of this bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(dchan+bugzilla)
(In reply to David Chan [:dchan] from comment #7)
> I will file a bug to move developer.m.o uploads off the main domain and look
> into the history of this bug.

FWIW, we have a bug for that - https://bugzilla.mozilla.org/show_bug.cgi?id=813564
Depends on: 813564
What is this?
Blocks: 835457
Removing needsinfo, since les provided the bug. Sony: 835457 is part of a meta bug system we're trying out for bug bounties. It contains a list of other bounty bugs reported against MDN.
Flags: needinfo?(dchan+bugzilla)
Flags: sec-bounty? → sec-bounty+
Keywords: sec-high
Whiteboard: [site:developer.mozilla.org]
Is this still a security problem considering that bug 813564 was fixed? If not, is it at least still something we want to do?
Flags: needinfo?(lorchard)
Priority: -- → P1
(In reply to John Karahalis [:openjck] from comment #12)
> Is this still a security problem considering that bug 813564 was fixed? If
> not, is it at least still something we want to do?

I think this is fixed? At least, practically speaking, that was the point of bug 813564. We're very permissive with attachments - but, though there might still be an XSS, it's constrained to mdn.mozillademos.org where there should be nothing valuable.
Flags: needinfo?(lorchard)
Whiteboard: [site:developer.mozilla.org] → [site:developer.mozilla.org][specification-like][type:bug]
Priority: P1 → P2
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Changing to WORKSFORME as per comment 13. Please open a separate bug if we think we should sanitize attachments for other reasons, like to prevent in-mozillademos XSS.
Resolution: FIXED → WORKSFORME
Just realized what little sense the last part of that comment made. Disregard everything after the comma -- if we want to sanitize attachments for other reasons, despite having them on mozillademos, please open a separate bug.
Group: websites-security
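
The mitigation this thread settles on (uploads served only from mdn.mozillademos.org, never from the main site origin) can be sketched as a host-based routing check. This is an added example, not code from the bug or from MDN; the `/files/` prefix on the attachment host, the function names and the status choices are assumptions.

```python
from urllib.parse import quote

# Host names as given in the thread; the /files/ prefix matches the reported URL.
MAIN_HOST = "developer.mozilla.org"
ATTACHMENT_HOST = "mdn.mozillademos.org"
ATTACHMENT_PREFIX = "/files/"  # assumed to be the same path on both hosts


def normalize_host(host_header):
    """Lower-case the Host header and drop any port and trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):  # IPv6 literal: never one of the two known names
        return host
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def route(host_header, path):
    """Return (status, headers) saying how a request must be handled.

    200: serve here. 301: upload requested on the main origin, send it to the
    isolated origin. 404: site page requested on the attachment origin.
    400: Host header is neither of the two known names.
    """
    host = normalize_host(host_header)
    is_upload = path.startswith(ATTACHMENT_PREFIX)
    if host == MAIN_HOST:
        if is_upload:
            # Uploaded HTML must never render in the origin that holds the
            # session cookies, so it is only ever reachable on the other host.
            target = "https://%s%s" % (ATTACHMENT_HOST, quote(path, safe="/%"))
            return 301, {"Location": target}
        return 200, {}
    if host == ATTACHMENT_HOST:
        if not is_upload:
            # Keep the attachment origin empty of anything worth attacking.
            return 404, {}
        # Extra hardening (an assumption, not from the thread): stop browsers
        # from sniffing an upload into a different content type.
        return 200, {"X-Content-Type-Options": "nosniff"}
    return 400, {}
```

A script inside an upload still runs on the attachment host, which is the residual XSS comment 13 accepts; what it loses is same-origin access to the main site's cookies and pages.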